Thursday, 25 September 2014

SECURITY ALERT: BASH BUG MORE HEARTBLEED?

Though only disclosed this morning, proof-of-concept exploits are already available for a critical remote code execution vulnerability security experts say is more widespread than Heartbleed.

CVE-2014-6271, a vulnerability in the command shell Bash, affects many Linux- and UNIX-based systems. Although no exploits have yet been seen in the wild, the pervasiveness and ease of exploitation have earned it a CVSS score of 10.

The bug makes remote code execution possible, even though Bash itself does not handle data from remote users. As Jim Reavis of Cloud Security Alliance wrote today:

"A large number of programs on Linux and other UNIX systems use Bash to set up environmental variables which are then used while executing other programs...

In short, this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example.

Like Heartbleed, the bug may affect a broad swath of systems -- including Apache servers, web servers running CGI scripts, and embedded systems in everything from control systems to medical devices to digital cameras."
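The mechanism Reavis describes is that a CGI server copies request headers into environment variables, and an unpatched Bash, on seeing a variable whose value starts with the function-export marker "() {", keeps parsing past the function body and runs whatever follows. Two things a defender wants on disclosure day are a way to spot those probes in web logs and a way to tell whether the local Bash is affected. The script below is an added example, not code from the article or from Cloud Security Alliance; the log lines in SAMPLE_LOG are constructed, the function names are my own, and the local check mirrors the widely published one-liner that exports a function with a trailing echo and sees whether a child Bash prints it.

```python
import re
import subprocess

# Apache "combined" log format:
#   client ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Bash function export begins with "() {". The CVE-2014-6271 trigger is a
# header value shaped like that, with commands appended after the function
# body's closing brace. Ordinary clients never send this sequence, so the
# marker alone is a high-confidence signal worth alerting on.
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Constructed sample: two benign requests and two probes (one in User-Agent,
# one in Referer) carrying only a harmless echo, as scanners typically send.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:02:44 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 312 "-" "() { :;}; echo shellshock-probe"
198.51.100.4 - - [25/Sep/2014:10:03:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 312 "() { :;}; echo shellshock-probe" "curl/7.38.0"
198.51.100.2 - - [25/Sep/2014:10:04:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 312 "-" "StatusBot/1.0 (config={json})"
"""


def scan_access_log(lines):
    """Return (line_no, field, value) for every request line, referer or
    user-agent that carries a Bash function definition. Lines that do not
    parse as combined format are skipped rather than guessed at."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_DEF.search(m.group(field)):
                hits.append((n, field, m.group(field)))
    return hits


def bash_imports_trailing_commands(bash="bash"):
    """Local check for CVE-2014-6271 (hypothetical helper name). A function is
    exported through the environment with a command appended after its body;
    the child Bash is asked to do nothing (`true`). If the marker still shows
    up on stdout, the child executed the trailing command while importing the
    function, i.e. the installed Bash is unpatched. Returns True/False, or
    None if Bash could not be run."""
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo VULNERABLE-MARKER"}
    try:
        out = subprocess.run([bash, "-c", "true"], env=env,
                             capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "VULNERABLE-MARKER" in out


if __name__ == "__main__":
    for n, field, value in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {n}: Bash function definition in {field}: {value!r}")
    print("local bash unpatched:", bash_imports_trailing_commands())
```

The log scan keys on the `() {` prefix rather than on any particular command after it, so it catches probes regardless of payload; the two benign lines, including the one with braces in its user agent, are not flagged. Because CGI exports any header into the environment, the same scan is worth running over every header field a server logs, not just User-Agent.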